SCADA system that would be fully inte-grated
with its enterprise business sys-tems.
A brief description of the proposed
activities required to support the final
built-out master system was developed for
each of the 20 projects. Items considered in-cluded
system criticality, required invest-ment,
stakeholders impacted, and a rec-ommended
schedule for implementation.
The Project Portfolio was forward thinking
and included internal projects and Cap-ital
Improvement Projects (CIPs) as well
as projects with recurring Operations &
Maintenance (O&M) costs, including the
expansion of the Goldsworthy Desalter,
upgrades at the Vander Lans AWTF, and
construction and operations at the future
GRIP AWTF.
Using data from the Master Plan (com-pleted
in May 2016), WRD embarked on
development of new SCADA standards
as the basis for integrating all its existing
and future WRD facilities. By the end of
2018, it expects to have fully established
a centralized master SCADA system that
will allow it to efficiently manage, moni-tor,
and maintain all of its facilities. In ad-dition,
WRD recently initiated a Comput-erized
Maintenance Management System
(CMMS) Pilot Project at the Vander Lans
AWTF, where the SCADA system will be
the key data provider to the new CMMS
system for asset maintenance and repair.
Understanding the SCADA
System’s Threat Position
Without an evolving security strategy,
most modern water and wastewater SCA-DA
systems are likely to be exposed to cy-ber
threats. Thus, a key benefit of WRD’s
SCADA System Master Plan was identi-fication
and assessment of the differing
cyber threat positions associated with the
planned integration of WRD’s enterprise
business systems and facilities into the fi-nal
built-out master SCADA system. One
of the unique challenges WRD faces is that
its existing treatment facilities are currently
operated by sister agencies. Master Plan site
assessments identified potential cybersecu-rity
issues such as undocumented network
devices in the industrial control network
added by other agencies to facilitate facility
monitoring and operation.
Routine system access by contractors,
vendors, system integrators, mainte-nance,
and even potential support staff
(e.g., cleaning and chemical delivery),
20 SOURCE winter 2017
CYBERSECURITY ROADMAP
SCADA MASTER PLAN
• Usual first step in developing SCADA security defense.
• Documents recommendations.
• Provides decision-makers sufficient technical detail to understand
present potential for breaching, even with
the most securely air-gapped systems.
WRD also quickly recognized that the
new GRIP AWTF would potentially create
multiple entry points for cyber threat and
additional challenges to the protection of
its infrastructure and business enterprise
systems. For example, as part of WRD’s
commitment to community outreach, the
AWTF will be open to visitors and have
regular guided tours as well as a roof gar-den
of drought tolerant plants for visitors
to explore. It will provide Wi-Fi access for
visitors as well as an open balcony area
for visitors to look down on the water
treatment process. In addition to the vis-itor
Wi-Fi, the GRIP AWTF must support
SCADA and business wired and wireless
networks. With so many stakeholders
beyond the WRD staff, such as operators
and maintenance staff at its facilities, con-tractors,
vendors and integrators, as well
solutions.
• Typically affects large portions of the organization.
• Includes changes to processes and implementation of new technology.
• Provides a reference to assess that objectives are being met.
ANNUAL SECURITY STATUS RISK ASSESSMENT
Data
• What kind of data is produced?
• Which is most sensitive?
• Where is it stored? How does it traverse the network?
• Who has access? How is it secured?
Network Audit
• Complete device inventory: purpose, configuration, software.
• Assess physical security: network racks, closets, server rooms, identify
abandoned equipment still connected to network, software that
has not been patched in years, weak passwords, remote user access
control, unauthorized server room access.
Assign Levels of Risk. Develop a priority checklist; use for
budgeting/scheduling.
PENETRATION TESTING
• In-depth look at network vulnerabilities.
• Performed after cybersecurity defense posture is constructed/
implemented.
• Subjects network and devices to the same hacking methods as an
attacker, e.g., reconnaissance, scanning, enumeration, escalation,
assault, obfuscation.
• Standard for testing IT business networks.
• Requires in-depth understanding of SCADA processes/devices,
especially older systems. S